I've duplicated this in a Fedora-26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64)
On the 7.4 server itself I created a new sub-ca named vpn with the subject CN=VPN.
I requested a cert similar to the reporter, just using the standard profile:
ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn
And the subject is correct.
I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.
The problem is:
[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca
The correct option is cacn.
AFAICT he problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21
A patch that fixes this is in RHEL but apparently was never merged upstream.